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dation information from the first value 
by means of a nonpublic derivation 
having an inverse function. The valida- 
tion word is then associated with the 
data and stored in the nonsecure por- 
tion. Verification is accomplished by 
deriving 430 a first value from the data 
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SPECIFICATION 

A system and method for guaranteeing tho Integrity of a gambling system 

5 This invention relates to secure systems, such os gambling apparatus, and more particularly jo a system for 5 
guaranteeing the integrity of information content in the secure system, such as the control program of 
gambling apparatus. 

It is often the case in electronic gambling systems that a microprocessor electronics based gambling 
system can be customized for different types of play by changing a memory device (such as an EPROM) or 

10 by changing the memory device contents (such os by remotely downloading data into a read-write memory 10 
•RAM or EPROM). However, it is currently the practice of some state gambling commissions, such as i>iew 
Jersey, U.S.A. to require s sea! be applied to oil circuitry on each circuit board {including the EPROM or RAM) 
as part of the certification process. Thus, inventories must be maintained of the sealed boards for each of a 
piuraiily ui* machines, both ir» mafiufo'turirig output ar.d moifttoiriirig a repair stock piie. This approach is 

15 both costly and inefficient, inasmuch as many machines have a common nucleus and utilize the same circuit ^ 
beard with a different control memory program for each of a plurality of games being selected by 
interchanging a memory device or its contents. 

Although this approach is costly and cumbersome, there has heretofore been no alternative Technique 
provided to perform the important function of guaranteeing thft minority of the gambling machines. 

20 In accordance with one aspect of the present invention, a system is provided wherein data and associated 2 D 
validation information stored in a nonsecure location are verified as to integrity by cryptographic techniques. 
Good integrity verification activates the system to operate in a first mode, and bad integrity verification 
activates the system to operate in a second mode. In a preferred embodiment, the system is a gambling 
system, with a first mode corresponding to user responsive operation and the second mode corresponding 

25 to an alarm mode. Other systems whore tho present invention would oe useful include postal metering, 2 5 
electronic mail, electronic funds transfer ond other secure data processing systems. 

In accordance with another aspect of the present invention, the system has an interface port for 
communicating with an external device, such as a central control computer. Data and associated validation 
information are loaded into memory in tho nonsecure location, and the system verifies the integrity of the 

30 data and associated validation information os stored in the memory by cryptographic techniques operatively 39 
relating the data to the associated validation word. The system is activated to either 3 first or second 
operative mode responsive to a verification result of good or bad integrity, respectively. 

For example, a central computer could download information to one or a plurality of remotely located 
systems which would coiS'i verify the integrity of the information received and stored in its respective 

35 memory. Where the remotely located systems ore gambling systems, the downloaded information can be 35 
odds, conuc! programs, random number j utids, etc. 

In accordance with one of the illustrated embodiments of the present invention, a gambling apparatus is 
disuosed hcvirg a secure portion which is Cut liHtiti onJ sealed by the Gaming Commission, and having a 
nonsecure porron. not sealed by the Gaming Commission, the integrity of which is verified by the secure 

40 portion. The secure ponron of trie gambling apparatus comprises a circuit board having 3 t antral processor 40 
and a first memory. The nonsecure portion of the gambling apparatus is comprise* of 3 second portion of 
the circuit board, or an independent circuit board, having 0 second memory such as a nonsecure ROM, 
EPROM, or read-write memory (RAM). Utilizing cryptographic techniques, thy integrity of the nonsecure 
portion of the system is verified by the secure portion of the system. 

45 The gambling system is operable in thrco modes, and powers up in a test mode for verifying the integrity 45 
cf the gambling system. Where a positive verification is made that the nonsecure memory (e.g. ROM) has 
satisfactory integrity, the system is activaterl to on operable mode responsive to player user control inputs. 
Alternatively, where the results of tho test mode is a negative verification showing the nonsecure memory 
does not have good integrity, and gambling system is forced to an inoperable mode nonresponsive to player 

50 user control inputs, and an alarm is activated. 50 
The nonsecure portion of the circuit boord, the integrity of which is cryptographir.ally detectable, has a first 
nonvolatile memory (such as a ROM, PROM, EPROM or EEPROM nonvolatile memory or a read-write |RAM| 
volatile memory) having a vaUdation word stored therein, the validation word being derived from the first 
memory contents according to a first relationship. The validation word is formed by deriving a first value 

55 from the first memory's contents. The validation word is then derived from the first value by means of a 55 
nonpublic derivation having an inverse function. The validation word is then combined to form a part of the 
contents of the first memory. 

The secure portion of the circuit board has piocessor ond a second nonvolatile memory mounted 
thereon. The integrity of the secure portion is overt and detectable, such as by physical seal. The secure 

50 portion of the board includes means for deriving 3 second value from the validation word of the first memory 50 
mesns of the inverse function. The secure portion also includes means for comparing the first and second 
values, and means tor verifying the integrity of the second memory. The verification means activates the 
gaming system to the user reponsivc ploy mode responsive to a comparison result of equality, or activates 
the gaming system to the user nonresponsive (alarm) mode responsive to a comparison result of inequality. 

55 The relationship for deriving the first value, the nonpublic relationship, ond the inverse relationship of the 55 
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non-public relationship, are such f hoi interrelating or cross deriving cr.e to another is very complex and an 
extremely difficult and time conmming task. In a preferred embodiment, the encryption function is secret 
and the* inverse function is public. 

A better understanding of the invention may be had from the following detailed examples, the detailed 
5 description being taken in conjunction with the accompanying drawings in which: ^ 

Figure f is a perspective view of a gaming system such as a video slot gambling machine, illustrating one 
apparatus which can utilise the presont invention; 

Figure 2 is a top view showing ono embodiment of a circuit board as contained in the gaming system of 
Figure 1 having a secure portion and a nonsecure portion; 
10 Figure 3 is a flow chart illustrating one embodiment of the encryption method utilized in accordance with ^ 
one embodiment of the present invention; 

Figure 4 is a flow chart of the decryption test method as utilized in accordance with one embodiment of the 
present invention; and 

Figure SA-Oare computer program hstings lor one embodiment of the present mention. 
15 Referring now to Figure 1 , a gaming system is shown illustrative of one embodiment of the present ^ g 

invention. A housing 100 is provided which contains the necessary human player control interfaces as well 
as electronic circuitry and mechanical circuitry. Human player control inputs are provided, such as push 
buttons 110 and control handle 120. A viewing area, 130 such as video screen is provided on the front of the 
cabinet housing 100 for player vowing of the gaming machine response to player inputs. Coin shoots 140 
20 are provided for accepting player con» ond returning bent coins. The number of credits which the player has 2 Q 
as well as the active game display arc provided on the visual display means 130. For example, the gaming 
system of Figure 1 ^an be a tlot machine gambling system having 3, 4, or any number of reels, or may 
alternatively h* — *^ e r typo of yarning or gambling system. Where applicbble, a pay out shoot 1*5 may be 
provided for outpuuing coins to winning players. 
25 The housing 100 also contain tir. ironic circuit board 200, as shown in Figure 2, which provides the 25 
control and game electronic circu»try necessary to create the desired gambling system in conjunction with 
the video display 130 and user iM<;rfoce controls 1 10 and 120. Additionally, the housing 100 contains 
necessary power ^uppiies. limit switches, etc. necessary to implement the remainder of the desired gaming 
system. 

30 Referring to Figure 2, the circuit board 200 as discussed with reference to Figure 1 is shown in block 30 
digram form. The circuit bo-jffi 200 may be comprised of a single circuit board or of a plurality of circuit 
boards with appropriate int^rr.onneciions provided. The circuit board 200 is comprised of two functionally 
separate units, a sealed secured portion 210 and a nonsealed, nonsecure circuit portion 250. The sealed 
circuit board portion 210. as illustrated, contains a microprocessor 220, a read only memory (such as a ROM 
35 "" ai — - - 



35 



PROM, or EPROM), ond mrsc':J'anr;oua electronic and electromechanical circuitry 240. The sealed portion of 
the circuit board 210 represents the f,eatr?d portion of the gaming system in a physical sealing manner which 
wouid comply v/rh a particular Stale Gaming Commission's requirements. 

The nonseaied ponton of ;l.e Ufcmt hoard. 2£0, contains an interconnection socket 260 for a memory 
device, (e.g. for a RAM, ROM, PROM, or EPROM). When the socket 260 provides interconnection for a 
40 read-write memory, RAM or EPROM, the data contents of the read-write memory can be downloaded into 40 
the read write memory. For e/ample, a control program can be down-loaded from a remote site into the 
read-write memory of a local gambling system via an interface pon 270 (Figure 2) of the local gambling 
sysiem ana tne downloaded program verified by the secure portion of the circuit board in accordance with 
the teachings of the present invention. Multiple gambling systems can be configured to meet crowd 
AS selection patterns by specifying control programs either locally or remotely for each system. The systems 
can also be selectively forced inoperative by downloading appropriate control programs. This portion of the 
circuit board is not physically staled, and thus the memory inserted into the ROM socket 260 can easily be 
changed or interchanged . While this is desirable from the view point of minimizing spare parts stock piling 
and maximizing manufacturing flexibility, the nonsealed socket does pose security risks and problems. 
50 However, in accordance with the present invention, cryptographic techniques are utilized to verify the 
mtegmy of the nonsecure portion of the circuit board, 250, via means of cryptographic processing by the 
secure portion of the circuit board, 210. The microprocessor 220 may be of any type, with its selection being 
made based upon desired operating speed, induction set capabilities, and cost considerations, fn addition, 
the microprocessor 220 may be comprised of a plurality of circuits including a general purpose 
55 microprocessor (of a 4, 3, 16, 32, etc. bit* register length), in conjunction with special purpose peripheral 
processors and interface chips, such as number crunchers, fast Fourier processors, fast multipliers, etc 
Referring to Figures 3 and A, thf: methodology utilized to accomplish the invention of the illustrated 
m ° rC ftafJily Uhf! ' fSl00U bY rcferen " ^0 the encryption (Figure 3) and decryption 

Irl^Z^ 9 10 f l 9 H re 3 : c ' ncr «' l,on P'<*«» 'or creating a verrfiably secure memory for insertion eo 

into the nonsealed socket 260 M F, f ,ure 2) is illustrated in flow chart form. The procedure starts at step 300 
S"S" ep 310 the ^ " ***** °< """"cure memory are designated as a validation vloS 
nrnn7/m h k h re K ma,n ' n y stents 0 f the nonsecure memory which is designed as the vector R. A control 

" ^' C p h h3S be * n *vft'0P«J * loaded into the encryption systems memory and designated as the 
contents of the nonsealed and nocture memory (the vector R). The validation word W is as yet undefined, 65 
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but wilf represent the encrypted key to insure the Integrity of the remainder of the contents of the memory. 
Proceeding to step 320 an integer value F(R) is computed from the vector R by means of a one way public 
function F. F is a one way function mapping R into an integer whose magnitude is comparable to that of one 
element of R. F need not be one to one, but should be such that changing R while leaving F(R) unchanged is a 
5 difficult task. The function F is a public function in that it is also utilized in the encryption process and may be 5 
discovered or known by memoers or tne public. 

Proceeding to step 330, a validation word W is computed from the value F(R) by means of a secret function 
D which maps words into words with an inverse function E which is a public encryption function. Thus, W = 
D(F{R)), and EiD) = 1. Thus, when the function E is utilized in the encryption process, c (W) should equal F(R) 

-,0 only when the contents of the memory {the vector R and the validation word W) has not been tampered with, 
Thus, the integrity of the contents of the nonsealed nonsecure memory can be verified. 

Proceeding to step 340, the validation word W is placed in the memory locations which had been sat asirt«> 
as the !ss: N bytes of the nonseaied memory. At this point the encryption proces has ended as evidenced at 
step 350. The contents of the nonsealed memory {vector R) plus the validation word (appropriately located in 

^5 the last N bytes) can be committed to the nonsecure and nonsealed memory {e.g. ROM, EPROM, RAM). 15 
For further details on one way mapping functions, snd public key cyrptography concepts, reference is 
made to the literature in general, such as "A Method for Obtaining Digital Signatures and Public Key 
Cryptocism Systems", by R.L Rivest, et ah, as published in the February, 1978, Volume 21, Number 2 issue of 
the Communications of the ACM, at pages 120-126, hereby incorporated herein by reference. A second 

20 reference, "The Mathematics of Public Key Cryptography" by Martin E. Hellman, published in Scientific 20 
American, pages 146-157, 19, deals generally with the mathematics involved in public key cryptography, and 
is hereby incorporated herein by reference. Both of the aforementioned references deal with the general 
problem of secure electronics communication system, either fo.- message transfer, or for funds transfer. The 
references address themselves to techniques to prevent tampering with new electronic comr runication 

25 systems and fund transfer systems and means to protect the vast quantities of private information such as 25 
credit records and medical history stored in computer data banks. Encryption and decryp* tion are utilized for 
transforming information so that it is unintelligible and therefore useless to those who are not meant to have 
access to it. Secondly, cryptographic techniques are utilized to insure that messages sent have not been 
tampered with, of critical concern in electronic funds transfer. 

3Q Referring to Figure 4, the decryption process is illustrated in flow chart form, illustrating one embodiment 30 
of the present invention. The process flow starts when the gambling system of Figure 1 is powered up, at 
step 400. The process proceeds to step 410 where the system is set to the test mode, wherein the system is 
nonresponsive to players control inputs. The contents of the nonsealed portion of the circuit board are 
examined by the secure sealed portion of the circuit board, by defining the last N bytes of the nonsealed 

35 memory contents as the validation word W, and defining the remaining nonsealed memory contents as a 35 
vector R, whose elements are the individual words of the nonsealed memory. 

Proceeding, as ii. istrated at step 430, the integer ve'L-e is computed for the nonsealed memory 
contents represented as the vector R by means of the public function F. Next, an integer value E(W) is 
computed from the validation word V/ based upon the public encryption function E. It will be recalled that the 

4 q function E is the inverse of the function 0. Thus, E(W) =• E(D(F(R)l) = F(R) only when the contents of the 40 
nonsealed memory have not been tampered with. 

The decryption process proceeds as illustrated at step 450, where the computed value F(R) is compared to 
the computed value E(W). If F(R) = £{VV), then the integrity of the nonsealed memory has been positively 
verified, end the gaming system flow proceeds as illustrated at step 480. The gaming system is set to a 

45 player resDonsive operable mode, wherein the coin chute and user controls are activated and the gaming 45 
system becomes playable, as illustrated at step 490. The control program contained in the nonsealed 
memory is executed by the processor in the sealed portion of the circuit board, 210. and the gaming system 
operation proceeds under supervision of the control program. At this point, the decryption and integrity 
verification procedure has been completed, as illustrated at step 500. 

Referring back to decision block 450, where the result of the comparison of F(R) and E(W) results in a 50 
determination of inequality, the procedureal flow continues as illustrated at step 460. The gaming system of 
Figure 1 is set to a player nonresponsive alarm mode. The user controls become inoperative, and the system 
proceeds to execute an alarm control program, as preferably stored in the secure sealed ROM illustrated at 
step 470. At this point the machine is disabled, and the operator is informed of the error condition. The 

55 tainted nonsealed memory device is removed from the nonsealed socket and the operator can choose 55 
between shutting the system down, or trying an alternte non-sealed memory integrated circuit. Where the 
system is shut down, the procedural flow is ended, n~ Illustrated at block 500. Where a new integrated circuit 
is placed in the ROM socket 460. the decryption procedure repeats starting again at step 400 with power up. 
In either event, the tainted memory chio should be turned over to authorities for evaluation as to tampering 

60 or simply system or manufacturing error. 60 
Thus, in accordance with the discussion of the illustrated embodiment, herein, the ROM 230 in the sealed 
portion of the circuit board, 210, contains a verification program to monitor the security of the nonsealed 
portion of the circuit board 250 containing the plugged in nonsealed memory 260. The function F is a 
plublicly available function such that the signature F(R) provides a publicly available signature of the 

55 nonsealed memory contents less the validation check word W, while the encryption function E is publicly 65 
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available to provide for a publicly available oner yp'ion key check word EIW). By computing ihe validation 
check word W using a secret decryption key. function 0. which is the inverse of the public encryption 
function E, the integrity of the entire contents of the nonsealed memory (both the validation word W and the 
remaining contents) can be protected and detected in accordance with the present invention's teachings. 
6 An example may be illustrative. Presume tho nonsealed mfemory to be protected is an EPROM having a & 
capacity of 2CK8 bytes. The last 8 bytes are sot oside as the validation word W, and the remainder is 
partitioned into 408 five byte words (Do, D, ... D^ 7 ). Define 408 nrftsnecified integers IPi, P 2 , ... Pdo?) and an 
additional prespecified integer P^. Additionally, o large composite integer XNBase is prespecified. F(R) and 
E(W) can then be computed as follows: 

10 10 

* — 

F{R) =1 Wi P, (moduloXNBr,f;e). 
i = o 

15 15 
E(W) = W P408 (modulo XNBase). 

The validation check procedure can bo modified slightly such that if F(R) plus E(W) (modulo XNBase) equal 

2o to 0 then the integrity of the EPROM is questioned and the system goes to the alarm mode. This example in 2 o 
its modified format has been implemented with a BASIC language program "»nd has been successfully tested 
on an EPRCM from an electronic slot machine. Tho BASIC language program and EPROM object code 
hexdump lister. : = ,s*ra!ed In F ; 3>j'es 5M. WHJJj? BASIC language was utilized in the illustrated program 
of Figure 5, any computer programming language could bo utilized with an appropriate system. In the 

25 illustrated system of Figure 1 -0, all arithmetic operations were exact modulo (XNBase), double precision 25 
numbers exact to 16 digits. However, other cryptographic mathematical techniques could be utilized equally 
well, and implemented in accordance with the teachings of the present invention. 

It will be understood by those skilled in tho art that other functional and operative relationships between 
the data and validation information con ho used consistent with the teachings of the present invention. 

30 Furthermore, in performing the verification function, operative relationships in addition to or instead of ^0 
comparison can be used consistent with tho teachings of the present invention. 

While there have been described abovo various embodiments of system and methods for guaranteeing 
the integrity of the control program of 0 gambling 1 nachino having sealed and nonsealed portions, for the 
purpose of illustrating the manner in which iho Invention may be used to advantage, it will be appreciated 

35 that the invention is not limited thereto. Accordingly, any modification, variation, or equivalent arrangement 35 
within the scope of the accompanying claims should be considered to be within the scope of the invention. 

CLAIMS 

40 1 . A system for selectively operating in onu of a plurality of modes responsive to a determined system 40 
integrity comprising: 

(a) a nonsecure portion of the system having data and validation information in a portion therein, 
id/ a secure portion of the system comprised of: 
U ) means for deriving a first value from the data -according to a first relationship; 
45 (2) means for deriving a second value from eaid validation information by means of a second A * 
relationship, 0 

(3) means for operatively relating said first and second values to determine system integrity, 
<4) means for activating said system to a Selected operational mode responsive to said means for 
operatively relating, 

50 . 2. The system as in Claim 1 further characterized in thct said nonsecure portion comprises a memory. 

3. The system as in Claim 1 wherein the inlegr ity of the nonsecure portion is cryptographically verifiable, 
and the integrity of the secure portion is noncryptographically verifiable. 

4. The system as in Claim 1 further characterized in that said validation information is derived from said 
data according to first and third relationships. 

55 5. The system as in Claim 4 wherein said second relationship is the inverse of the third relationship. 55 

6. The system as in Claim 1 further characterized in that said means for operatively relating provides bad 
ond good system integrity outputs indicative of the determined system integrity. 

7. The system as in Claim 6 wherein said means for activating said system activates said system to a first 
operations mode responsive to good system integrity output and activates said system to a second 

50 operational mode to a bad system integrity output. 

* The system as in Claim 1 further characterized in that said system is activated to a first operational 6 ° 
mode responsive to a determination of good sytlcm integrity and said system is activated to a second 
operational mode responsive to a determination of bad system integrity 

on!" J He T Xe ? 35 l 1 C,alm 7 ° r 8 fur,hCf ch *'<*terizcd in that said first operational mode is a normal 
65 operational mode, and said second operation*! mode is an alarm mode. 

65 
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10. The system as in Claim 4 or 5 wherein said first and second relationships are pubiic and said third ■ 
relationship is secret. 

11. The system as in Claim 4 or 5 wherein said first, second and third relationships are one way functions. 
\2. The system as in Claim \ wherein said first relationship is further characterized in thai changing any 

5 of the data changes the first value. 5 

13. They system as in Claim 1 further characterized as a gaming system. 

14. The system as in Claims 1 or 2 or 3 or 4 or 5 or 6 or 7 or 8 or 12 further characterized as a gaming 
system. 

15. The system as in Claim 10 further characterized as a gaming system. 

10 16. The system as in Claim 11 further characterized as a gaming system. in 

17. The system as in Claim 9 further characterized as a gaming system, 

18. The system as in Claim 1 7 wherein said noraml operation mode is a player-responsive mode. 

19. The system as in Claim 13 further characterized in that said secure portion is physically sealed. 

20. A system as in Claim 1 or 13 further characterized in that said data and validation information are 

15 loaded into said nonsecure portion from an apparatus remotely located relative to the system, -15 

21 . The system as in Claim 1 or 13 wherein said nonsecure portion includes a memory, and said secure 
portion includes a processor and a memory, 

22. The system asin Claim 1 or 13 further comprising; 

interface means for communicating with a device external to the system, 
20 means for loading the nonsecure portion with received communications responsive to the interface 20 
means. 

23. The system as in Claim 22 wherein said received communications is further characterized as said 
data and validation information. 

24. The system as in Claim 22 further comprising: 

25 means for communicating the determined system integrity to a device external to the system. 25 

25. The system as in Claim 1 or 13 wherein said secure portion of the system is remotely located relative 
to said nonsecure portion. 

26. The system as in Claim 1 or 13 wherein said secure portion comprises a processor and a memory, 
wherein said processor executes instructions from said secure memory to derive said first and second 

30 values. 30 

27. The system as in Claim 8 further characterized in that said first mode is a player responsive mode, 
and said second mode is a player nonresponsive mode. 

28. The method as in Claim 27 wherein said second mode activates an alarm. 

29. A system for insuring the integrity of a remotely located downloaded memory comprising; 

35 (a) a controller including encryption circuitry for deriving validation information from data by means of a 35 
first relationship and a second relationship having an inverse, 
(bf a system, remotely located relative to *?\irl controller, including a memory, 
(c) means for communicating data and validation information from said controller to said remotely 
located system for storage in said memory, 
40 (d) verification means comprised of: 40 
(11 means for deriving a first value from the data contents of the memory by said firs' relationship; 
(2) means for deriving a second value from said validation information by said inverse relationship; 
(31 means for operatively relating said first and second va)ucs lor providing an output indicative of 
system integerity, and 

45 (41 means for manifesting an action responsive to said system integrity output. 45 

30. The system as in Claim 29 wherein said verification means is remotely located relative to said 
controller. 

31. The system as in Claim 30 further characterized in that said first relationship and inverse second 
relationship are public and said second relationship is secret. 

50 32. The system as in Claim 30 wherein said remotely located system is a gaming system. 50 

33. The system as in Claim 30 wherein said first, second and inverse relationships are one- way mapping 
functions. 

34. The system as in claim 30 wherein said action is further characterized as activating said system to a 
norma! operable mode responsive to an output of good system integrity, and activating said system to an 

55 alarm mode responsive to an output of bad system integrity. 55 

35. The system as in Claim 30 wherein caid remotely located system is further comprised of data 
processing means. 

36. The system as in Claim 30 wherein said controller is operatively coupled to selectively communicate 
with a plurality of remotely located systems. 

50 37. The system as in Claim 36 further characterized in that at least one of said remotely located systems 60 
is a gaming system. 

38. The system as in Claim 37 wherein each of said remotely located systems is operatively configured 
responsive to communications from said controller to the respective remotely located system. 

39. A gaming system comprising: 

65 (a) a circuit board; 65 
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lb) " nonsecure portion of the circuit board, the integrity of which is cryptographicaHy detectable, havtr.g 
a memory having data and validation information stored therein, wherein the validation information is 
derived from the data information according to a public first relationship and a secret second relationship 
having a public inverse relationship; ^fi^^fc 
5 (c) a secure portion of tho circuit board having processing electronic^^^J^Bhereon, the integrity of 5 
the secure portion being detectable, ^1 P 

wherein said secure portion of the circuit board is further comprised nf : 
(1 ) means for deriving 0 fif &t value from the data omfpr, atopm according to he public first 
relationship, 

10 (2) means for deriving o6econd value from said validation word by means of said public inverse 1Q 
relationship, 

(3) means for operating on taid first and second values to provide an integrity signal, 

(4) means for activating taid system to a first mode responsive to a first integrity signal indicative of 
good system integrity, and 

^5 (5) means for activating taid system to a second mode responsive to a second integrity signal ^ 
indicative of bad system integrity. 

40. The system as in Claim 39 wherein said secure portion is further comprised of a processor and a 
second memory. 

41. The system as in Claim 39 wherein said first, second and inverse second relationships are one-way 

20 functions, 20 

42. A system as in Claim 39: 

wherein said first relationship has the characteristic that changing the contents of said memory changes 
said first v? 1 ' 

43. The system of Claim 39: 

25 wherein said second rel£>lior«.*!»p is a one-way trap-door function. 25 

44. A gaming system comprising: 

la) a cabinet having a display area and a user control; 

(b) a circuit board mounted within the cabinet; 

(c) a nonsecure portion of thn circuit board, the integrity of which is cryptographicaHy detectable, having 

30 a memory having data and validation information stored therein, wherein the validation information is 30 
derived, by means of a second relationship having an inverse relationship, from a first value derived from 
and changing according to a first relationship responsive to the data contents; 
fd) a secure portion of the circuit board having verifiably good integrity comprising: 

(1) means for deriving a tecond value from the data contents of the first memory according to the first 

35 relationship, ^ 

(2) means for deriving 3 third value from said validation information by means of said inverse 
relationship, 

13) means for providing an integrity output responsive to opening on said second and third values, 
(4) means for activating taid system to a first mode responsive to a first integrity output, and 
40 (5) means for activating taid system to a second mode responsive to a second integrity output. 49 

45. The sysrem as in Clo'tm 44 wherein said first integrity output is indicative of good system integrity, 
and said second integrity output is indicative of bad system integrity. 

46. The system as in Claim 45 wherein said first mode is further characterized as activating said system 
to a user control responsive system. 

45 47. The system as in Claim 45 or 46 wherein said second mode is further characterized as activating an a* 
alarm. 

48. A gaming system operable in a player responsive mode and an alarm mode, comprising: 

a first memory having data and validation information contents therein, wherein said validation 
information is operatively associated with the remaining contents of the nonsecure memory 
50 a secure memory; ^ 
means for validating the integrity 0 f the first memory comprising: 

means for executing instructions from the secure memory so as to derive a first value operatively 
associated with the data contenu of the first memory; 

means for executing instructions from the secure memory so as to derive a second value operatively 
55 associated with the validation information; 

means for providing a good/faulty system integrity result output responsive to operatively relating said ^ 
first and second values; 

means for activating t/oid gaming system to said alarm mode responsive to a result output of faulty system 
integrity; and 

60 means for activating said gaming system to said player-responsive mode responsive to a result output of 60 
good system integrity. K DU 

49. The system as in Claim 48: 

wherein said firs! relationship has the characteristic that changing the contents of said first memory 
changes said first value. 
65 50 - A gaming system as in Claim 48 or 49: 

65 



wherein said validation information is derived from said first value. 

51. The system as in Claim 48 wherein said first, second and inverse second relationships are one-way 
functions. 

52. A system for insuring the integrity of information loaded into the system, comprising : 

5 (a) a memory having initially undefined contents; 5 

(b) means for loading data and validation information into the contents of the memory wherein said data 
is related to said validation information according to a public first and a secret second relationship; 

(c) means for verifying the integrity of the loaded contents comprising: 

( i ; means for deriving a first value according to the first relationship responsive to the data contents of 
10 the memory, jq 
(2) means for deriving a second value according to a public inverse of the second relationship 
responsive to the validation information, 

, (31 means for operatively relating the first and second values to provide an integrity output indicative 
of good and bad integrity of the memory contents, 
15 (d) means i'or controlling the operable status of the system further comprising: ^5 

(1 ) means for activating said system to a normal operational mode responsive to the good integrity 
output, and 

(2) means for activating said system to an alarm mode responsive to said bod integrity output. 

53. The system as in Claim 52: 

20 wherein said system is a gaming system. 20 
5a. The system as in Claim 53 further comprising: 
an interface port for communicating with an external device; 

means responsive to said interface port for loading said memory with the communications received from 
said external device. 

25 55. The system as in Claim 53 or 54 wherein said memory is located in a nonsecure portion of the second 25 
system, and said means for verifying the integrity and means for controlling the operable status are located 
in a secure portion of the second system. 

56. The system as in Claim 52 or 53 having user responsive input means, wherein said normal 
operational mode is further characterized as being responsive to said user responsive input means. 
30 57. A method of controlling the operable mode of a system having a memory with data and validation 30 
information contents, comprising the steps of: 
deriving a first value from the data contents according to a first relationship, 
deriving a second value from the validation information according to a second relationship; 
operatively relating said first and second values«o as to determine system integrity, 
35 activating the system to a selected operative mode responsive to the determined system integrity. 35 

58. The method as in Claim 57 further characterized in that said system is a gaming system. 

59. The method as in Claim 57 further characterized in that said validation information is derived from 
said data content according to the first relationship and an inverse to the second relationship. 

60. The method as in Claim 59 further comprising the steps of: 

40 activating the system to a normal operative mode responsive to a determination of good system integrity, 40 
and 

activating said system to an alarm operative mode responsive to a determination of bad system integrity. 
6t . The method as in Claim 57 or 58 further comprising the steps of : 
making the first and second relationships public; 
45 maintaining the inverse to the second relationship in secrecy. 45 

62. The method as in Claim 57 or 58 further comprising the steps of: 

deriving said first value by means of a function which exhibits the characteristic that changing any of the 
contents of the nonsecure memory changes the first value. 

63. The method as in Claim 62 wherein said validation information is derived from said first value, further 

50 comprising the steps of: 50 
determining said second value from said validation information by means of on inverse derivation to that 
by which the validation information is obtained from the first value. 

64. A method for creating a memory having verifiable secure data contents comprising the steps of: 
deriving a first value from the data contents of the memory by a first relationship wherein changing the 

55 contents of the memory changes the first value; 55 
deriving a validation value from said first value by a second relationship having an inverse 
relationship;and 
storing and vaI;do:: / ? r, vr*!je in said memory contents. 

65. A method of verifying the integrity of a memory having data content and validation value content 

60 related to said data content by first and second relationships, comprising the steps of: 60 
deriving a first value from the data content of the memory by the first relationship; 
deriving a second value from said validation value by an inverse to said second relationship; 
providing an integrity output indicative of good and bad system integrity responsive to operatively 
relating the first value and the second value; 

65 providing a first activation signal responsvie to said integrity output inrficntinrj good system integrity and 65 
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Drov iding a second 3Ctivaiion signal responsive to said integrity output indicating bad system integrity. 

66. The method of Cla»m G4 or 65 wherein said first relationship and inverse second relationship are 
public and said second relations V»p is secret. 
68. In a system, having a seolod secure circuit portion comprising - processor and a first memory, said 
5 system also having an insecure circuit portion comprising a second memory, a method of insuring the 
integrity of the insecure portion of the system comprising the steps of; 

deriving a first value from the cioir* content of the second memory by a first relationship wherein changing 
the contents of the second memory changes the first value; 

deriving a validation value from siiicj first vaTue by a second relationship having an inverse relationship 
and 

storing said validation V3lue at a predefined location in said second memory. 
CO. The method as in Claim 68 further comprising the steps o*\ 

(a) verifying the integrity of the second memory by means of sard secure portion, further comprising the 

steps of: 

U) deriving a third value from the contents of the second memory by said first relationship; 
(?) deriving a fourth value from said validation value by said inverse relationship; and 
(3) operativeiy relating the third value to the fourth value and providing a relational output; and 
lb) controlling the operable stains of the system further comprising the steps of: 

( 1 ) activating said gamifuj ;.yr,i(;m to a normal-responsive mode responsive to said relational output 
2o indicating good system integrity, and 

(2) activating the system to on .'il.irm mode responsive to said relational output indicating bad system 
integrity. 

70. The metho ■ z* Harm 68 n' r >° '■•r»^nr rharart e ri?ed in that sak' first and inverse second relationships 
are pubiic ar.d . ^conrj relationship is secret. 

71. The method of Claim 70 futihrr characterized in that said second memory is nonvolatile. 

72. The method of Claim G8 or t;'j further characterized in that system is a gaming system. 

73. The method of Claim 69 further characterized in that said normal-responsive mode is a player 
responsive mode, and said alarm mode is a player nonresponsive mode. 

7i. A method of Claim 7 1 wherein s;mi step of operativeiy relating further comprises the steps of: 
comparing the magnitude of said first and second values, and indicating said good system integrity by a 
relational result of equality, ;imJ indicating said bad system integrity by a relational result of inequality. 

75. Ti,e r.-.einod of Claim 71 further characterized in that said first, second and inverse second 
relationships are one-way mappmrj functions. 

76. In a gam'mg system, havmn ,i pi.iycr responsive mode and a player nonresponsive alarm mode, said 
35 system comprising a nonsecure memory having data and validation information, said validation information 

being operativeiy related to the data, said sytem also having a secure memory, a method for selectively 
activating the system to a predetermined mode responsive to validating the integrity of the nonsecure 
memory, comprising the steps of : 
id) executing instructions from the secure memory so as to derive a first value representative of the 
AO contents of the nonsecure memory; 

(b) executing instructions from the secure Memory so as to derive a second value representative of the 
validation word; 

lc) ooeratively relating the first ;md second values to provide an indication of system integrity; 

(d) activating said gaming sys'em to said player nonresponsive alarm mode responsive to an indication 
45 of improper system integrity, 

(e) activating seid gaming system to said player-responsive mode responsive to an indication of good 
system integrity. 

77. The method as in Claim 76 further comprising the steps of: 

deriving said first value by means of o function which exhibits the characteristic that changing any of the 
50 contents of the nonsecure memory chonrjes the first value. 

78. The method as in Claim 77: 

wherein said validation word is derived from said first value, further comprising the steps of: 
.determining sa.d second value from said validation word by means of an inverse derivation to that by 
which the validation word is obtained from the first value. 

73. The method as in Claim 76 wherein said first value is derived by 
operativeiy relating said dat.» lo a fust functional mapping; and 

further characterized in that said validation informat.on is operativeiy related to said first value according 
to a second functional mapping, 
wherein said second value is denvrd by 

operativeiy relating said validate, ...formation to an inverse of said second functional mapping 

The method of Claim [,7 or Mi or 76 further comprising the steps of: 
communicating said data and associated validation information to the system from a source external to 
the system; 

storing said communicated d;,t;, ;md associated validation information in said memory 

A method for conuoilmr, the operative mode of a system, having local and remote devices 
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responsive to determined >ntegr>t / of communicated information comprising the steps cf: 

operating upon data information »t iho remole device dCcord:r:g to first and second relationships tc derive 
validation information, 

communicating said data and validation information from the remote device to the local device, 
5 operating upon said data information at the local device, according to said first relationship, to derive a 
first value; 

operating upon said validation information al said local device, according to an inverse of said second 
relationship, to derive a second value; 
controlling the operative mode of the system responsive to opers'ively relating said first and second 
10 va'ues. 

82. The method as in Claim 81 further characterized in that there are a plurality of local devices, wherein 
the step of controlling the operative mode of iho system further comprises the steps of: 

selectively controlling the operative mode of each of said local devices responsive to the operative 
relationships for each respective fir.tr and second values. 
1 5 83. The method as in Claim 81 further comprising the steps of: 

deriving said first value by means of a function which exhibits the characteristic that changing any of the 
contents of the nonsecure memory thanpes tho first value. 

84. The method as in Claim 81 -//hftrcin raid validation information is derived from said first value, further 
comprising the steps of : 

2o determining said second value from r.aid validation information by means of an inverse derivation to that 
by which the validation word is otrlDmed from the first value. 

85. 1 he method as in Claim 81 further characterized in that said first and inverse second functional 
relationships are public, and said Jieeorid functional relationship is secret. 

86. The method as in Claim 81 or 85 further characterized in that said first, second and inverse second 
25 functional relationships are one-v/a / functions. 

87. A system for selectively operaimp, in one of a plurality of modes responsive to a determined system 
integrity substantially as herein described with reference to the accompanying drawings. 

88. A system for insuring the integrity of a remotely located downloaded memory substantially as herein 
described with reference to the accompanying drawings. 

30 89. A gaming system substantially as herein described with reference to the accompanying drawings. 

90. A gaming system operable in a player responsive mode and an alarm mode substantially as herein 
described with reference to the ac.ompanyinp, drawings. 

91. A system for insuring the ir regniy of information loaded into the system substantially as herein 
described with reference to the acco'nnanying drawings. 

35 92. A method of controlling the operable mode of a system having a memory with data and validation 
information contents substantially at herein described with reference to the accompanying drawings. 

93. A method for creating a memory having verifiable secure data contents substantially as herein 
described with reference to the ace-o-mpanying drawing 

94. A metnod for verifying the »r v^jnty of a memory having data content and validaton value content 

40 related to said data content by fir^t -md rxcond relationships substantially as herein described with reference 
to the accompanying drawings. 

95. In a system, having a sealed v:f.«>r»« orci. . portion comprising a processor and a first memory, said 
system also having an insecure cir v;it portion comprising a second memory, a method of ensuring the 
integrity of the insecure portion of in*: r,yMern substantially as herein described with reference to the 

45 accompanying drawings. 

96. In a gaming system, having a player responsive mode and a player nonresponsive alarm mode, said 
system comprising a nonsecure memory having data and validation information, said validation information 
being operatively related to the da:?, said system also having a secure memory, a method for selectively 
activating the system to a predetermined mode responsive to validating the integrity of the nonsecure 

50 memory, substantially as herein described with reference to the accompanying drawings. 

97. A method for controlling the operative mode of a system, having local and remote devices 
responsive to determined integrity of communicated information substantially as herein described with 
reference to the accompanying cJr&//in;j*.. 
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